
IKE v1 multiple ISAKMP SAs



Hi Kousik & Rob,

    According to you both, 2 ISAKMP SAs are possible and cookies would
specify which ISAKMP SA was used.
But I want to know:
    1. whether it is absolutely necessary that I have to give support for
multiple ISAKMP SAs.
        Consider scenarios where there are memory constraints. Could you
suggest some scheme by which I can avoid multiple ISAKMP SAs?
    2. Also I want to know what you do when an ISAKMP SA expires.
        Do you remove it or refresh the existing ISAKMP SA with new
information?

Also can you justify multiple ISAKMP SAs existence.

Thanks and regards
Saket


Yes, it is, and it can happen because "A" and "B" decide to simultaneously
initiate phase 1.  It can also happen because "A" notices that there is
not very much time left on the SA and establishes a second SA (or a third,
or fourth...).  As a result, the phase 2 SAs MUST be able to identify the
phase 1 SA used to create them (for delete and error notification purposes).

Additionally, you will have to decide (we allow the user to set either
option) if you will allow phase 2 SAs to 'dangle' past the lifetime of the
phase 1 SA.

While it is very complicated, you might want to look at the Kame, FreeSWAN,
or NetBSD code to see what they have done.

Hope this helps,
rwt
> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Saket Dandawate
> Sent: Thursday, May 09, 2002 9:52 PM
> To: ipsec@lists.tislabs.com
> Subject: IKE v1 are multiple ISAKMP SA allowed
>
>
> Hi,
>
> I am implementing IKE v1 and I have a few queries regarding ISAKMP SA
> formation. Is it possible to have 2 ISAKMP SAs between the
> same two peers.
>
> Consider the following case.
>
> 1. "A"  peer places request for ISAKMP SA negotiation.
> 2. Peer "B" also places request for ISAKMP SA negotiation at
> the same time.
>
> So, at the same instance two Main Mode negotiations start.
> RFC 2409 says
> that after Main Mode negotiation the IPsec SAs can be
> exchanged by either
> side. So it sounds logical to have only 1 Main Mode
> negotiation. So what do
> we do if two Main Modes start simultaneously?  If we have to
> discard one
> Main Mode, which one should we discard?
>
> RFC 2409 doesn't say anything about multiple ISAKMP SAs.
>
> thanks and regards
> Saket
> PSS pune
>
>
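As an added illustration of the bookkeeping Rob describes (several phase 1 SAs to one peer told apart by their cookie pair, each phase 2 SA bound to the phase 1 SA that negotiated it so DELETE and error notifications can be routed, and a switchable "dangle" policy for what happens to phase 2 SAs when their phase 1 SA expires), here is a small Python model. It is example code written for this thread, not code from any IKE implementation named above; the `SaTable` class, the `simulate()` scenario, the peer name "B", the SPIs and the lifetimes are all constructed for the demonstration, and cookies are simply random 8-byte strings rather than the RFC 2408 anti-clogging construction.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CookiePair = Tuple[bytes, bytes]  # (initiator cookie, responder cookie), 8 bytes each in ISAKMP


@dataclass
class IsakmpSa:
    """Phase 1 (ISAKMP) SA; in IKEv1 the cookie pair is the only handle it has."""
    cookies: CookiePair
    peer: str
    established: float
    lifetime: float  # seconds

    def expires_at(self) -> float:
        return self.established + self.lifetime


@dataclass
class IpsecSa:
    """Phase 2 (IPsec) SA; remembers which phase 1 SA negotiated it."""
    spi: int
    peer: str
    parent: CookiePair
    established: float
    lifetime: float

    def expires_at(self) -> float:
        return self.established + self.lifetime


class SaTable:
    """SA bookkeeping that tolerates several phase 1 SAs to the same peer (hypothetical)."""

    def __init__(self, allow_dangling: bool) -> None:
        self.allow_dangling = allow_dangling  # may phase 2 SAs outlive their phase 1 SA?
        self.phase1: Dict[CookiePair, IsakmpSa] = {}
        self.phase2: Dict[int, IpsecSa] = {}

    def add_phase1(self, peer: str, now: float, lifetime: float) -> CookiePair:
        # A live phase 1 SA to this peer may already exist (simultaneous initiation,
        # or a pre-expiry rekey); both are kept, told apart by their cookies.
        cookies = (os.urandom(8), os.urandom(8))  # constructed stand-in for real cookies
        self.phase1[cookies] = IsakmpSa(cookies, peer, now, lifetime)
        return cookies

    def add_phase2(self, spi: int, parent: CookiePair, now: float, lifetime: float) -> None:
        p1 = self.phase1[parent]  # KeyError if the parent is unknown: never create orphans
        self.phase2[spi] = IpsecSa(spi, p1.peer, parent, now, lifetime)

    def live_phase1_for(self, peer: str, now: float) -> List[CookiePair]:
        return [c for c, sa in self.phase1.items() if sa.peer == peer and sa.expires_at() > now]

    def notify_channel(self, spi: int, now: float) -> Optional[CookiePair]:
        """Phase 1 SA over which a DELETE or error notification about this phase 2 SA
        goes: its parent while live, else another live phase 1 SA to the same peer,
        else None (a fresh phase 1 negotiation is needed first)."""
        child = self.phase2[spi]
        candidates = self.live_phase1_for(child.peer, now)
        if child.parent in candidates:
            return child.parent
        return candidates[0] if candidates else None

    def rekey_phase1_if_needed(self, cookies: CookiePair, now: float, margin: float) -> Optional[CookiePair]:
        """Start a replacement phase 1 SA when little lifetime is left; the old one
        stays until it expires, so two SAs to the peer coexist for a while."""
        old = self.phase1[cookies]
        if old.expires_at() - now > margin:
            return None
        return self.add_phase1(old.peer, now, old.lifetime)

    def expire(self, now: float) -> List[str]:
        """Drop expired SAs; children of an expired phase 1 SA are torn down unless
        the dangling policy lets them live on until their own lifetime ends."""
        events: List[str] = []
        for cookies, sa in list(self.phase1.items()):
            if sa.expires_at() <= now:
                del self.phase1[cookies]
                events.append(f"phase1 to {sa.peer} expired")
                if not self.allow_dangling:
                    for spi, child in list(self.phase2.items()):
                        if child.parent == cookies:
                            del self.phase2[spi]
                            events.append(f"phase2 spi={spi:#x} torn down with its phase1")
        for spi, child in list(self.phase2.items()):
            if child.expires_at() <= now:
                del self.phase2[spi]
                events.append(f"phase2 spi={spi:#x} expired")
        return events


def simulate(allow_dangling: bool) -> dict:
    """Constructed scenario: both sides initiate phase 1 at t=0, our SA is rekeyed
    shortly before it expires at t=50, and phase 2 SAs from both are still in use."""
    t = SaTable(allow_dangling)
    c1 = t.add_phase1("B", now=0, lifetime=50)    # our own initiation
    c2 = t.add_phase1("B", now=0, lifetime=100)   # B's simultaneous initiation
    t.add_phase2(0x1000, c1, now=1, lifetime=200)
    t.add_phase2(0x2000, c2, now=1, lifetime=200)
    before = {"phase1_count": len(t.live_phase1_for("B", 10)),
              "notify_0x1000": t.notify_channel(0x1000, 10) == c1}
    rekeyed = t.rekey_phase1_if_needed(c1, now=45, margin=10)  # inside the margin: third SA
    events = t.expire(now=60)
    after = {"events": events,
             "phase2_0x1000_alive": 0x1000 in t.phase2,
             "notify_0x1000": t.notify_channel(0x1000, 60) if 0x1000 in t.phase2 else None,
             "rekeyed": rekeyed is not None,
             "phase1_count": len(t.live_phase1_for("B", 60))}
    return {"before": before, "after": after, "c2": c2}


if __name__ == "__main__":
    for policy in (False, True):
        print(f"allow_dangling={policy}: {simulate(policy)['after']['events']}")
```

Run it and compare the two policies: with `allow_dangling=False` the phase 2 SA under the expired phase 1 SA is torn down with it, while with `allow_dangling=True` it survives and any later DELETE about it is routed over the other live phase 1 SA to the same peer. Either way two live phase 1 SAs remain at t=60 (the peer's own and the rekey), which is the situation Rob says the phase 2 side must be able to cope with.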